From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)"
<hsimeliere.opensource@witekio.com>,
Bruno VERNAY <bruno.vernay@se.com>
Subject: [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015
Date: Wed, 20 May 2026 10:14:00 +0200 [thread overview]
Message-ID: <20260520081403.3052797-4-hsimeliere.opensource@witekio.com> (raw)
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca
[2] https://security-tracker.debian.org/tracker/CVE-2026-42015
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-42015.patch | 50 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
new file mode 100644
index 0000000000..dfc3506ccc
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
@@ -0,0 +1,50 @@
+From 264da2a72033ed8890105231e5d36263d403ca60 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 22:42:20 +0200
+Subject: [PATCH] x509/pkcs12_bag: fix off-by-one in bag element bounds check
+
+Appending elements to a PKCS#12 bag had a bounds check that
+prevented adding the 32nd element.
+On the other hand, it is possible to import one that already has 32.
+Subsequent appending then led to writing past the 32-element array,
+smashing its length.
+
+Tighten the check to reject any bag with 32 or more elements.
+
+We'll treat this vulnerability as a Low due to how contrived
+the requirements are: for the code to be vulnerable,
+it needs to append to an imported untrusted unencrypted PKCS#12 structure.
+
+Reported-by: Zou Dikai
+Fixes: #1840
+Fixes: CVE-2026-42015
+Fixes: GNUTLS-SA-2026-04-29-11
+CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
+Severity: Low
+
+CVE: CVE-2026-42015
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/x509/pkcs12_bag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
+index 911aeff93..38228613c 100644
+--- a/lib/x509/pkcs12_bag.c
++++ b/lib/x509/pkcs12_bag.c
+@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+- if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) {
++ if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) {
+ gnutls_assert();
+ /* bag is full */
+ return GNUTLS_E_MEMORY_ERROR;
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 69f90a3c01..20946c1030 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-33845-pre.patch \
file://CVE-2026-33845.patch \
file://CVE-2026-3833.patch \
+ file://CVE-2026-42015.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
next prev parent reply other threads:[~2026-05-20 8:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20 8:14 ` hsimeliere.opensource [this message]
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10 ` Yoann Congal
2026-07-06 10:48 ` Yoann Congal
2026-06-05 8:45 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260520081403.3052797-4-hsimeliere.opensource@witekio.com \
--to=hsimeliere.opensource@witekio.com \
--cc=bruno.vernay@se.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox